
BeyondCloister

macrumors member
Nov 6, 2002
39
0
Aberdeen, Scotland
the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days. In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page"

The above says it all! What a farce!!!

So when they allowed a URL to be visited using Safari, access was achieved.


Does this mean that Mac users using Safari are safe because the rules were relaxed to allow this?

All the relaxing of the rules allowed was the simulation of a careless user instead.

If someone saw a link to a website containing a hilarious video of something happening to a Windows user and they decided to click on it and end up at this "specially-constructed Web page" would they still be safe because the rules had been relaxed?
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
I know that they weren't using the latest Security Update 2007-004 since that was just released by Apple late yesterday.

Also note that since this was day 2 of the contest (from ZDNet story this morning)....




EDIT: A link to a story describing how it was "hacked" is here.

Note how the bar was intentionally lowered however... :rolleyes:

This is in my area; I'd like to see the exact nature of this hack. The link you provided is not good anymore.

Does anyone have a better link to it?
 

deputy_doofy

macrumors 65816
Sep 11, 2002
1,467
410
I thought all big software companies did this sort of thing as a rule anyway. I saw a documentary once about hacking and it basically said that many of the top hackers find employment working for the companies whose products they used to hack.

Posts 45, 49, and 55 all have the same exact post from you. Are you sure YOU didn't get taken over by a bot? :p
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
It would be interesting to see if the malicious webpage used would affect the WebKit nightlies you can get from WebKit.org. If the current nightly is immune, it is possible that someone reviewed changes being made to WebKit and through that worked out an attack for an issue that has since been fixed but not yet been integrated into a Safari build for the general public.

Of course using a fuzzer you can stumble over things like this and then build up an attack for the vulnerability.

Just something to ponder...
 

marco114

macrumors 6502
Jul 17, 2001
440
458
USA
People, please read posts

Does this mean that Mac users using Safari are safe because the rules were relaxed to allow this?

As several here have already noted, the only requirement is that you click a specially formatted link to visit a specific web page that makes the exploit run. This means that I could make some link like this and if you clicked on it, it could run some malicious code on your system, possibly opening up your machine. Then maybe I could record your IP address on my page and then hack into your system knowing that you have been exploited. This is all assuming that I knew how to craft the exploit. But none of us do, because it hasn't been disclosed (yet).

All the relaxing of the rules allowed was the simulation of a careless user instead.

Not true. If you go to web pages in Safari, then it's very possible that you could be affected on an unpatched machine. I assume that Apple will have this patched within a week.

If someone saw a link to a website containing a hilarious video of something happening to a Windows user and they decided to click on it and end up at this "specially-constructed Web page" would they still be safe because the rules had been relaxed?

No, they would not be safe. The rules being relaxed had nothing to do with the exploit. The attack can't happen remotely, which is good; it requires user action. However, the user action is something we do all the time and don't realize it could happen. So it's a bad exploit. Going to a webpage is something most of us do 1000s of times a day.

Imagine if I posted a link to new photos of the iPhone! Then I put some photos up but I also had this extra bit of code in there so you didn't even know you were exploited.

That's what makes this a bad exploit and it should be dealt with soon.
 

BeyondCloister

macrumors member
Nov 6, 2002
39
0
Aberdeen, Scotland
Does this mean that Mac users using Safari are safe because the rules were relaxed to allow this?

As several here have already noted, the only requirement is that you click a specially formatted link to visit a specific web page that makes the exploit run. This means that I could make some link like this and if you clicked on it, it could run some malicious code on your system, possibly opening up your machine. Then maybe I could record your IP address on my page and then hack into your system knowing that you have been exploited. This is all assuming that I knew how to craft the exploit. But none of us do, because it hasn't been disclosed (yet).

All the relaxing of the rules allowed was the simulation of a careless user instead.

Not true. If you go to web pages in Safari, then it's very possible that you could be affected on an unpatched machine. I assume that Apple will have this patched within a week.

If someone saw a link to a website containing a hilarious video of something happening to a Windows user and they decided to click on it and end up at this "specially-constructed Web page" would they still be safe because the rules had been relaxed?

No, they would not be safe. The rules being relaxed had nothing to do with the exploit. The attack can't happen remotely, which is good; it requires user action. However, the user action is something we do all the time and don't realize it could happen. So it's a bad exploit. Going to a webpage is something most of us do 1000s of times a day.

Imagine if I posted a link to new photos of the iPhone! Then I put some photos up but I also had this extra bit of code in there so you didn't even know you were exploited.

That's what makes this a bad exploit and it should be dealt with soon.

I hope you don't think I was asking those questions for my own answers. They were rhetorical ones for the person going on about how relaxing the rules meant it was a false attack.
 

50548

Guest
Apr 17, 2005
5,039
2
Currently in Switzerland
No. You're misrepresenting the nature of the exploit. From available information, if the details of the exploit were known, it could very easily happen in the real world.

The bug is apparently inside Safari, not OS X itself. Safari seems to have a bug in how it interprets page content, allowing a malformed web page or javascript to run arbitrary code on the machine. This requires the user to do nothing other than browse a web site. This is an unpleasant bug, the kind which has ravaged Internet Explorer's reputation. A hard-and-fast rule of a web browser should be: no matter what is viewed, the local machine should not be exposed. Please re-read my earlier posts.

Sorry, but IT IS FUD. They clearly set up "a specially constructed page" for that to happen. If there were no "special pages", there would be NO hack, end of story.

It's obvious that if the exploit is sent out, people may use it for evil purposes; but it's CLEARLY a custom-built security issue, and not a natural one that you can find in any honest website out there. Again: they HAD to set up a special page containing explicit access possibilities to the local machine. This simply does NOT exist in the normal world.
 

BeyondCloister

macrumors member
Nov 6, 2002
39
0
Aberdeen, Scotland
Sorry, but IT IS FUD. They clearly set up "a specially constructed page" for that to happen. If there were no "special pages", there would be NO hack, end of story.

It's obvious that if the exploit is sent out, people may use it for evil purposes; but it's CLEARLY a custom-built security issue, and not a natural one that you can find in any honest website out there. Again: they HAD to set up a special page containing explicit access possibilities to the local machine. This simply does NOT exist in the normal world.

Why can you people not understand this simple concept?

Step 1: Someone constructs this "special page". (Can happen in the normal world.)

Step 2: They plant a link to it in an honest website. (Can happen in the normal world.)

Step 3: You click on the link. (Can happen in the normal world.)

Step 4: You are compromised. (Can happen in the normal world.)
 

iJawn108

macrumors 65816
Apr 15, 2006
1,198
0
Wow, that's not a lot for the prize to be honest. Vista 0-days go for about $50,000 USD.
 

slffl

macrumors 65816
Mar 5, 2003
1,303
4
Seattle, WA
This kind of sounds like putting a 3rd party wireless card with its own drivers into a MacBook and then yelling 'We've hacked a Mac!'.
 

padrino121

macrumors member
Apr 5, 2004
44
-8
Are you serious?

The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine. However, we see how they pulled it off now, and the update would have had no impact anyway.

Considerably lowering the security bar to get in had everything to do with it. Either way, they've got quite a long way to go before they prove that OS X is anywhere near as insecure as Windows. Any OS can be hacked given certain circumstances, some are just immensely more difficult to hack than others.

Ah well, in the meantime, we shall continue to wait for the first ever Mac running OS X out in the wild to finally get hacked. It's been 6+ years and 20+ million users so far, and that still hasn't happened.....

The days of magic packets over the wire to hack client machines have by and large been over for quite some time on all OSes, including Windows. An exploit like this is quite valid and the same as the large majority of current exploits on all OSes.

How can you say no OS X box has been hacked? Have you asked everyone running them if they bothered doing any forensic analysis on their boxes when they were acting squirrelly? Over 80 exploits have been fixed thus far in 2007 and some are huge remote exploits; with those statistics no one can reasonably assert what you are attempting to above.
 

Diatribe

macrumors 601
Jan 8, 2004
4,258
46
Back in the motherland
It is interesting though that they survived Day 1 without the firewall enabled.

The exploit is serious but should be easily fixed. Everyone is right, yes by default it is pretty secure but the exploit is a serious one.

There should be more contests like this. Because the last ones seem to have gotten Apple off its butt as we can see in the last Security Update with over 24 fixes...
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
There should be more contests like this. Because the last ones seem to have gotten Apple off its butt as we can see in the last Security Update with over 24 fixes...
Let's not ignore prior updates that contain as many and sometimes more fixes (way before MOAB)... Apple doesn't need contests to listen to issues, they just need to know about the issue. The simple fact is they cannot find them all themselves (with that said, I believe Apple could do more on the fuzzing front to find more issues like these in house before release).

Well, I guess I'm pretty safe then because I use FireFox. :D
Against this particular vulnerability? Likely. However, don't ignore that Firefox (like all browsers) has had exploitable issues found. Just make sure to keep updated.
 

Ries

macrumors 68020
Apr 21, 2007
2,330
2,918
It is POSSIBLE to get INFECTED by using the APPLE browser SAFARI visiting random trusted WEBSITE X, all it needs is the code embedded in an advertising banner or one click on a wrong link.

My god, I wonder how some of you even get your Macs started. Maybe that's why it's so secure.
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
My god, I wonder how some of you even get your Macs started. Maybe that's why it's so secure.
lol :D

...of course, in general the community has built itself up with an unrealistic belief about the invulnerability of Mac OS X, and Mac OS X has seen many cases of FUD with vulnerabilities being blown out of proportion... so I can understand some of it.
 

whooleytoo

macrumors 604
Aug 2, 2002
6,607
716
Cork, Ireland.
Vulnerable web pages will always be a problem. Apple can't do anything if the web site itself was designed in the wrong way which leads to buffer overflows, cross-site scripting, code injection or any other thing. The O.S. is "dumb", as it should be. It is the responsibility of the Web developer to have proper input validation before doing anything with the user-supplied input. This is true for Windows, Macs, Linux, Unix, Mainframes, and Space stations alike :) .

This is just plain wrong.

Web pages are just data files, and scripts to be interpreted. If the parsing of these files causes crashes or security breaches, it's the fault of the browser and OS developer, Apple in this case.

You just cannot possibly rely on every single web designer being competent, and benign. That's a recipe for chaos. The browser and the network APIs in the OS must provide protection from malicious web pages.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
I am about to get flamed here .... Oh well.

I am not yet going to say it is a valid hack, but there is a good possibility it is.

Guys, the Mac comes with Safari, it is part of the expected software. If there is a weakness in the browser that allows someone external to execute code on the Mac (outside the browser) then it is a significant and serious hack. If the injected code runs with administrator rights, or can get administrator rights, then your box is completely owned by the hack, not just the owner that originally let them through. Getting admin rights and being able to execute code would be considered the worst kind of hack.

We also have to look at the complexity of the steps required to take over the system or process, and we have to look at the level of stupidity required of the user, to determine how likely it is that this weakness will be exploited and how many people it will affect.

We no longer look at the level of knowledge required by the hacker; we know most today are quite good, hacking is now a business with lots of money behind it. Mafia and others are involved. True hackers of this nature are better than the security researchers. If the security researcher can find the weakness, it is child's play for the hackers. They collaborate and work together as teams to join their knowledge and devise plans of attack. Once they have a way, they put it together and watch the money roll in.

However the hack should not require that the user lower or change the standard security settings. There is nothing wrong with the hack requiring the user to go to a specific URL and doing a few clicks there, but it would be out of the question if the user has to accept to download a payload and then execute it.

This is my area, I work as a security consultant, my response is that I need the specifics of this hack to tell you if it is valid or not. But there is a chance it is.

As to viruses .... I really do not worry about those the way others do. Any code, virus or not, that came from an external source and is automatically executed at the OS level is a major hack as long as it does not depend on complete stupidity of the user.

Internet Explorer and others including Safari have for years been sensitive to code injection; this is mainly a design issue due to wanting to provide all sorts of new-fangled features for the user. Things like downloading images, flash games that play inside the browser, auto-refresh of the page viewed, etc. All these provide an opportunity to cause an error in the browser and take over that process. As for Windows, for Macs it is valid to consider them as hacks; they are equivalent in both worlds.

The "allow execution" switch to my knowledge is set by default, so it is not user stupidity, and as it is the default we have to assume it is on when looking at probability, not everyone is informed.

If the same scenario is considered a hack in the windows world, then we have to be fair and consider it a hack here.

I will look into it and let you know. If you have the link to the details, please post a response.
 

deputy_doofy

macrumors 65816
Sep 11, 2002
1,467
410
So, if root is not enabled, does the sudo command still grant root access?

I'm still not considering this security hole a huge threat at this point in time. Not once have I ever believed OS X was bullet-proof. However, I'm still safer than all my Windows brethren out there.
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
So, if root is not enabled, does the sudo command still grant root access?
...among other ways, yes it can grant root privileges.

If the injected code runs with administrator rights, or can get administrator rights, then your box is completely owned by the hack, not just the owner that originally let them through.
If you can get arbitrary code to execute (at normal privileges) on the users system you can, with current Mac OS X configuration (at least for the default first user), fully open the file system to yourself... then you can inject code as you see fit and fully take over the system.
 

whooleytoo

macrumors 604
Aug 2, 2002
6,607
716
Cork, Ireland.
Just reading the securityfocus.com article - it's a bit scary. People are paying up to 20,000 USD for OSX exploits? Why? Who? In fact, why are TippingPoint - the company who paid the 10,000 bounty for this one - offering so much? What do they gain?

Just publicity? Or do they hope to make money directly from the exploit? :confused:
 

Ries

macrumors 68020
Apr 21, 2007
2,330
2,918
Vulnerable web pages will always be a problem. Apple can't do anything if the web site itself was designed in the wrong way which leads to buffer overflows, cross-site scripting, code injection or any other thing. The O.S. is "dumb", as it should be. It is the responsibility of the Web developer to have proper input validation before doing anything with the user-supplied input. This is true for Windows, Macs, Linux, Unix, Mainframes, and Space stations alike :) .

It's not the web server running the web page being compromised, it's the client (hence Apple's fault, not the web designer's).

And I can guarantee you, that if I made a food dispenser for a space station with a manual saying "press blue, then red button for food" and the guy presses "red, then blue" and a buffer overflow blows the air hatch, I will as programmer get the blame.
 